I developed a simple IoT device. It has a built-in HTTP webserver to set the general options of the system. Now the customer asks for "in-app" updates that might be delivered free of charge or after purchasing them.
Here are my thoughts:
- the server that hosts the website of the product will handle all the e-commerce stuff
- the server will provide a REST service so my device can ask which packages are available for download
- the server itself has to check (given the device ID) which packages are free to download and which were purchased by the user
- in this way I can list the available packages on my built-in web app, download them directly (i.e. from FTP) and store them into the ESP32 flash
My question is: I believe I can implement this workflow from scratch, but I'm not an expert in security and I'm afraid I can make dumb mistakes providing critical flaws. Is there a protocol or at least some standardized guidelines to provide such a feature for IoT devices?
It's not a life-critical system. I'm not looking for very high security standards. But as said, I want to avoid newbie mistakes.
Not sure which tags are more appropriate for this question. Please feel free to edit it!